package com.google.commerce.tapandpay.android.security.storagekey;

import com.google.android.libraries.commerce.hce.util.Hex;
import com.google.common.base.Preconditions;
import com.google.common.flogger.GoogleLogger;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.Mac;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: classes.dex */
public final class StorageCrypto {
    private static final GoogleLogger logger = GoogleLogger.forInjectedClassName("com/google/commerce/tapandpay/android/security/storagekey/StorageCrypto");
    public static final byte[] DERIVATION_INFO = "TapAndPayDEKInfo".getBytes(StandardCharsets.UTF_8);
    public static final byte[] DERIVATION_SALT = sha256$ar$ds();

    public static final byte[] decryptBytes$ar$objectUnboxing(byte[] bArr, SecretKeySpec secretKeySpec, SecretKeySpec secretKeySpec2) {
        if (bArr == null) {
            return null;
        }
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            int blockSize = cipher.getBlockSize();
            int length = bArr.length;
            Preconditions.checkArgument(length >= blockSize);
            int i = length - 32;
            int i2 = i - blockSize;
            byte[] bArr2 = new byte[i2];
            System.arraycopy(bArr, blockSize, bArr2, 0, i2);
            byte[] bArr3 = new byte[32];
            System.arraycopy(bArr, i, bArr3, 0, 32);
            if (!Arrays.equals(hmacSHA256(secretKeySpec2, bArr2), bArr3)) {
                throw new InvalidKeyException("hmac did not verify. Rejected hmacDigest: ".concat(Hex.encodeUpper(bArr3)));
            }
            cipher.init(2, secretKeySpec, new IvParameterSpec(bArr, 0, blockSize));
            return cipher.doFinal(bArr, blockSize, (length - blockSize) - 32);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            ((GoogleLogger.Api) ((GoogleLogger.Api) ((GoogleLogger.Api) logger.atWarning()).withCause(e)).withInjectedLogSite("com/google/commerce/tapandpay/android/security/storagekey/StorageCrypto", "decryptBytes", 'O', "StorageCrypto.java")).log("Unable to decrypt payload. Have you switched environments without clearing app data?");
            throw new IllegalArgumentException("Unable to decrypt payload");
        }
    }

    public static final byte[] encryptBytes$ar$objectUnboxing(byte[] bArr, SecretKeySpec secretKeySpec, SecretKeySpec secretKeySpec2) {
        if (bArr == null) {
            return null;
        }
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            boolean z = true;
            cipher.init(1, secretKeySpec);
            byte[] doFinal = cipher.doFinal(bArr);
            byte[] iv = cipher.getIV();
            byte[] hmacSHA256 = hmacSHA256(secretKeySpec2, doFinal);
            if (hmacSHA256.length != 32) {
                z = false;
            }
            Preconditions.checkArgument(z);
            int length = iv.length;
            int length2 = doFinal.length;
            int i = length + length2;
            byte[] copyOf = Arrays.copyOf(iv, i + 32);
            System.arraycopy(doFinal, 0, copyOf, length, length2);
            System.arraycopy(hmacSHA256, 0, copyOf, i, 32);
            return copyOf;
        } catch (InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            ((GoogleLogger.Api) ((GoogleLogger.Api) ((GoogleLogger.Api) logger.atWarning()).withCause(e)).withInjectedLogSite("com/google/commerce/tapandpay/android/security/storagekey/StorageCrypto", "encryptBytes", (char) 145, "StorageCrypto.java")).log("Unable to encrypt payload");
            throw new IllegalArgumentException("Unable to encrpyt payment bundles");
        }
    }

    private static byte[] hmacSHA256(SecretKeySpec secretKeySpec, byte[] bArr) {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(secretKeySpec);
        return mac.doFinal(bArr);
    }

    private static byte[] sha256$ar$ds() {
        try {
            return MessageDigest.getInstance("SHA-256").digest("TapAndPaySaltySalt".getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("No security provider initialized yet?", e);
        }
    }
}
